MFA enrollment API changed behavior without notice

Hi, our app is using the following Management API endpoint:

GET /api/v2/users/{id}/enrollments

This endpoint has changed in the documentation: before, its title was “Get a list of multi-factor authentication enrollments” and it fetched “pending” enrollments as well. Now its title is “Get the first confirmed multi-factor authentication enrollment”, only a single enrollment is returned, and no pending ones.

This change made our app throw errors and impacted our end users.

Can you:

  • Explain this change?
  • How do you manage API versioning, since this looks like a breaking change to me?
  • Where can the changelog mentioning it be found, so that we can subscribe to it (it does not seem to appear in

Here you can see a screenshot from the old doc version, cached on the 5th of August.


Please bear with me for a bit and don’t take what I’m about to say as trying to deflect blame. With that disclaimed, I did some quick research and I can indeed find chatter about updating the documentation for that particular endpoint. However, I can also find internal conversation dating from March this year that would indicate that this specific endpoint always (and somewhat confusingly given its name) returned the first authenticator.

Can you share some additional information that may help me chase this situation a bit more? In particular, does your system call that endpoint directly, or does it use (or has it ever used) an SDK that would wrap that call? In addition, when did you notice this change for the first time?


Hi João, thanks for your answer.

The issue that was raised for us is not that it only returns a single enrollment (and not an authenticator), but that it no longer returns a “pending” enrollment.

  • We are using this call through the Auth0 PHP SDK v5.7 (as of today).
  • We noticed this for the first time on the 9th of September.

Okay, thanks for clarifying. I focused too much on the screenshot, which stated the “all authenticator enrolments” thing that in reality is not the core of your issue. Based on your update, the change that impacted you was that you were previously able to obtain a pending enrolment through the SDK call and now you are unable to do so. I’ll check this internally a bit more, as this was indeed not the focus of my previous research; I will likely only have an update for you next week though.


I checked this situation, including the logic behind that endpoint, and I don’t see any sufficiently recent change in the endpoint logic itself. The filters in place to only return the first one have been there for a while, and another filter in there which could possibly also impact the response did not change recently either. There’s always a possibility that the reason is upstream of this specific endpoint, but that does complicate this analysis further.

Can you confirm the steps you would take, in terms of user journey/actions, that would lead to that endpoint responding with something it no longer returns?


Hi,

We have already made the necessary fixes to no longer depend on “pending” enrollments. We were previously trying to remove other pending enrollments when validating a given one. We did this because we noticed errors when users were starting and then not completing an enrollment (we implemented 2FA and this enrollment workflow in our app last September).
Is this the information you were looking for?

I think that pending enrollments no longer exist on your side, or at least are no longer visible through the API?
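The breakage described in this thread comes from a client that hard-coded the old response shape (a list that could contain “pending” entries). The following is an added example, not the poster's app code and not the Auth0 PHP SDK: a small normalizer that accepts either the old list shape or the new single-object shape and treats an absent pending enrollment as a normal state rather than an error. The field names `id`, `status` and `type`, and the sample payloads, are constructed assumptions based on the thread's wording (“pending” / “confirmed”).

```python
"""Tolerant handling of the GET /api/v2/users/{id}/enrollments response.

Added example (not the poster's code, not the Auth0 SDK). Field names and
sample payloads are constructed for illustration.
"""
from __future__ import annotations
from typing import Any

# Constructed sample payloads: old list shape and new single-object shape.
OLD_RESPONSE = [
    {"id": "dev_example_1", "status": "confirmed", "type": "authenticator"},
    {"id": "dev_example_2", "status": "pending", "type": "authenticator"},
]
NEW_RESPONSE = {"id": "dev_example_1", "status": "confirmed", "type": "authenticator"}


def normalize_enrollments(payload: Any) -> list[dict]:
    """Return a list whether the API sent one object, a list, or nothing."""
    if payload is None:
        return []
    if isinstance(payload, dict):
        return [payload]
    if isinstance(payload, list):
        return [e for e in payload if isinstance(e, dict)]
    raise TypeError(f"unexpected enrollments payload: {type(payload).__name__}")


def stale_pending_ids(payload: Any, keep_id: str) -> list[str]:
    """IDs of pending enrollments other than `keep_id`.

    The old app logic deleted these while validating `keep_id`. With the new
    response shape the list is simply empty; that means "nothing to clean up",
    not "validation failed", so callers must not raise on an empty result.
    """
    return [
        e["id"]
        for e in normalize_enrollments(payload)
        if e.get("status") == "pending" and e.get("id") != keep_id
    ]


def has_confirmed_enrollment(payload: Any) -> bool:
    """The property a 2FA gate should rely on: at least one confirmed factor."""
    return any(e.get("status") == "confirmed" for e in normalize_enrollments(payload))
```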

Yes, the use case (scenario) in which you were getting pending ones returned. Which MFA factors do you use? Then I can try to do the same steps locally (starting, but not completing, an enrollment) and possibly get more details on this.


Hi @jmangelo,

We’re using the One-Time Password factor.

Okay, thanks; I confess that’s the factor I used for some quick tests around this situation before, but I’ll repeat them with a particular focus on not completing the flow and see what I can find.


Just a quick update to let you know that from my tests I now have sufficient data to chase this up with engineering. In particular, although I could not yet trace the exact thing that changed to cause the different behavior, it does seem this endpoint could return pending ones in the past. I’ll have to sort the data I found and raise this internally, so hopefully next week I should have additional info.